Bug#165155: marked as done (Security Problems in apache =< 1.3.27)
Your message dated Tue, 25 May 2004 14:47:06 -0400
with message-id <E1BSgx8-00051j-00@newraff.debian.org>
and subject line Bug#165155: fixed in apache 1.3.31-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 17 Oct 2002 08:34:50 +0000
From ruben@puettmann.net Thu Oct 17 03:34:50 2002
Return-path: <ruben@puettmann.net>
Received: from mout0.freenet.de [194.97.50.131] (exim)
by master.debian.org with esmtp (Exim 3.12 1 (Debian))
id 18267F-00057p-00; Thu, 17 Oct 2002 03:34:49 -0500
Received: from [194.97.50.144] (helo=mx1.freenet.de)
by mout0.freenet.de with esmtp (Exim 4.10)
id 18267D-0002YQ-00
for submit@bugs.debian.org; Thu, 17 Oct 2002 10:34:47 +0200
Received: from work.freenet-ag.de ([194.97.7.45])
by mx1.freenet.de with smtp (Exim 4.10 #1)
id 18267D-0000ry-00
for submit@bugs.debian.org; Thu, 17 Oct 2002 10:34:47 +0200
Date: Thu, 17 Oct 2002 10:29:09 +0200
From: Ruben Puettmann <ruben@puettmann.net>
To: submit@bugs.debian.org
Subject: Security Problems in apache =< 1.3.27
Message-Id: <20021017102909.7d3263fd.ruben@puettmann.net>
Organization: Puettmann.NeT
X-Mailer: Sylpheed version 0.8.5claws (GTK+ 1.2.10; )
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
micalg="pgp-sha1"; boundary="=.8kvJ3_cO4Qw_8d"
Delivered-To: submit@bugs.debian.org
X-Spam-Status: No, hits=-6.1 required=5.0
tests=NOSPAM_INC,PGP_SIGNATURE_2,SIGNATURE_LONG_SPARSE,
SPAM_PHRASE_00_01
version=2.41
X-Spam-Level:
--=.8kvJ3_cO4Qw_8d
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Package: apache-common
Version: 1.3.26-1
Severity: normal
Today from a posting on bugtraq:
Return-path: <bugtraq-return-6871-ruben.puettmann=freenet-ag.de@securityfocus.com>
Delivery-date: Thu, 17 Oct 2002 01:23:35 +0200
Received: from [194.97.50.135] (helo=mx2.freenet.de) by mbox5.freenet.de with asmtp (ID exim) (Exim 4.10 #1) id 181xVm-0005jc-00 for ruben.puettmann@freenet-ag.de; Thu, 17 Oct 2002 01:23:34 +0200
Received: from outgoing2.securityfocus.com ([205.206.231.26] helo=outgoing.securityfocus.com) by mx2.freenet.de with esmtp (Exim 4.10 #1) id 181xVm-0000Ey-00 for ruben.puettmann@freenet-ag.de; Thu, 17 Oct 2002 01:23:34 +0200
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19]) by outgoing.securityfocus.com (Postfix) with QMQP id 7D83A8F308; Wed, 16 Oct 2002 15:40:34 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 15874 invoked from network); 16 Oct 2002 22:10:15 -0000
From: David Wagner <daw@cs.berkeley.edu>
Message-ID: <200210162232.g9GMWQr19246@mozart.cs.berkeley.edu>
Subject: Apache 1.3.26
To: bugtraq@securityfocus.com
Date: Wed, 16 Oct 2002 15:32:26 -0700 (PDT)
X-Mailer: ELM [version 2.5 PL6]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Envelope-to: ruben.puettmann@freenet-ag.de
I recently did a very brief (and non-exhaustive) security audit of
Apache 1.3.26, and noticed some small potential bugs in some of the
helper programs that come with the distribution.
Apache maintainers have been notified, and the most serious of these
bugs have been fixed in 1.3.27. I'm sending this primarily to document
for the record what vulnerabilities existed and were fixed. This audit
can be found on Sardonix at https://sardonix.org/audit/apache-45.html
Also, I noticed a few suspicious code fragments, which weren't fixed
in 1.3.27. For the most part, their security consequences looked
less dire, or minimal. I'll describe these as well for completeness.
Can anyone else take a look at these and see if I overlooked anything?
1. Buffer overrun in support/ab.c:read_connection()
    char buffer[8192];
    char servername[1024];

    static void read_connection(struct connection * c) {
        ...
        r = ab_read(c->fd, buffer, sizeof(buffer));
        ...
        char *p, *q;
        p = strstr(c->cbuff, "Server:");
        q = servername;
        if (p) {
            p += 8;
            while (*p > 32)
                *q++ = *p++;
        }
        *q = 0;
Impact: Anyone using ab to connect to a malicious server may be vulnerable
Fixed in 1.3.27: http://www.apacheweek.com/features/security-13
2. Race condition in support/htpasswd.c:main()
    tempfilename = tmpnam(tname_buf);
    ftemp = fopen(tempfilename, "w+");
    ...
    copy_file(ftemp, fpw);
Impact: any local user can read, modify contents of Apache password file,
if she exploits this bug when an administrator runs htpasswd
Not fixed in 1.3.27
3. Race condition in support/htdigest.c:main()
    tn = tmpnam(NULL);
    if (!(tfp = fopen(tn, "w"))) ...
    ...
    sprintf(command, "cp %s %s", tn, argv[1]);
    system(command);
Impact: any local user can read, modify contents of Apache password file,
if she exploits this bug when an administrator runs htdigest
Not fixed in 1.3.27
4. Also, totally bogus call to system() in support/htdigest.c:main()
(see above)
Impact: probably none, but htdigest shouldn't be called from CGI scripts, etc.
Not fixed in 1.3.27
5. Buffer overruns in support/htdigest.c:main()
There are many, but here's one:
    #define MAX_STRING_LEN 256
    int main(int argc, char *argv[]) {
        char user[MAX_STRING_LEN];
        strcpy(user, argv[3]);
Impact: probably none, but htdigest shouldn't be called from CGI scripts, etc.
Not fixed in 1.3.27
6. strncat() used incorrectly in support/ab.c:main()
    char cookie[1024];
    int main(int argc, char **argv) {
        while ((c = getopt(argc, argv, "..."))) {
            switch (c) {
            case 'C':
                strncat(cookie, "Cookie: ", sizeof(cookie));
                strncat(cookie, optarg, sizeof(cookie));
                strncat(cookie, "\r\n", sizeof(cookie));
                break;
Also, -A, -P, and -H are broken as well.
Impact: probably none, but ab shouldn't be called from CGI scripts, etc.
Fixed in 1.3.27: http://www.apacheweek.com/features/security-13
Acknowledgements: This audit was aided by RATS. Thanks to the RATS authors!
--
Ruben Puettmann
ruben@puettmann.net
http://www.puettmann.net
--=.8kvJ3_cO4Qw_8d
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
iD8DBQE9rnTYgHHssbUmOEIRArRkAJ43V0v31y9jG5qWPZC0oTdFOKdoIQCfePx0
I0PYRE8KdbTkYCJJrMgzk0c=
=O1fn
-----END PGP SIGNATURE-----
--=.8kvJ3_cO4Qw_8d--
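Items 1, 5 and 6 of the forwarded audit share one defect: bytes are written into a fixed-size array without checking its size. The following is an added example in C, not Apache's code and not the fix shipped in 1.3.27, of the bounded forms of those three copies: a Server: header extractor that stops at the buffer limit instead of running past servername[], an argument copy that rejects oversized input rather than strcpy()ing it, and an append that computes the remaining space (the mistake in item 6 is that strncat()'s third argument limits the bytes appended, not the total, so passing sizeof(cookie) allows each call to write up to sizeof(cookie) bytes beyond what is already there). All function names, the sample HTTP response and the cookie values are constructed for this example.

```c
/* Added example, not Apache code: bounded replacements for the three
 * unbounded-copy patterns in the audit (items 1, 5 and 6). */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Item 1: copy the value of a "Server:" header into a fixed buffer.
 * Returns the bytes stored, or -1 if the value did not fit (out is
 * still NUL-terminated and holds the truncated prefix). */
static int parse_server_header(const char *resp, char *out, size_t outlen)
{
    const char *p = strstr(resp, "Server:");
    size_t n = 0;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (!p)
        return 0;
    p += strlen("Server:");
    while (*p == ' ' || *p == '\t')   /* do not assume exactly one space */
        p++;
    while (*p > 32) {                 /* same stop condition as the audited loop, plus a bound */
        if (n + 1 >= outlen) {        /* keep room for the terminator */
            out[n] = '\0';
            return -1;
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return (int)n;
}

/* Item 5: copy an argv[] string into a fixed buffer; reject rather than
 * silently truncate values that do not fit. 0 on success, -1 if too long. */
static int copy_arg(char *dst, size_t dstlen, const char *src)
{
    size_t len = strlen(src);
    if (len >= dstlen)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Item 6: append to a fixed buffer using the REMAINING space as the limit. */
static int append_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t used = strlen(dst), len = strlen(src);
    if (used >= dstlen || len > dstlen - used - 1)
        return -1;
    memcpy(dst + used, src, len + 1);
    return 0;
}

/* The line the audited -C option builds, refusing values that would not fit. */
static int build_cookie_line(char *dst, size_t dstlen, const char *value)
{
    dst[0] = '\0';
    if (append_bounded(dst, dstlen, "Cookie: ") < 0) return -1;
    if (append_bounded(dst, dstlen, value) < 0)      return -1;
    if (append_bounded(dst, dstlen, "\r\n") < 0)     return -1;
    return 0;
}

/* Pure arithmetic (nothing is overrun here): how many bytes past a buffer
 * of size cap the audited call strncat(dst, src, cap) can write when dst
 * already holds `used` bytes. strncat appends min(srclen, cap) bytes and a NUL. */
static size_t strncat_misuse_overrun(size_t used, size_t srclen, size_t cap)
{
    size_t appended = srclen < cap ? srclen : cap;
    size_t needed = used + appended + 1;
    return needed > cap ? needed - cap : 0;
}

/* Self-check on constructed inputs; 0 when every case behaves as intended. */
static int run_checks(void)
{
    char name[16], cookie[32], user[8], resp[1100];
    size_t i;

    if (parse_server_header("HTTP/1.0 200 OK\r\nServer: Apache/1.3.26\r\n\r\n",
                            name, sizeof name) != 13 || strcmp(name, "Apache/1.3.26") != 0)
        return 1;
    memcpy(resp, "HTTP/1.0 200 OK\r\nServer: ", 25);   /* constructed hostile response: */
    for (i = 25; i < 1025; i++)                         /* a 1000-byte Server value */
        resp[i] = 'A';
    memcpy(resp + 1025, "\r\n\r\n", 5);                 /* includes the terminating NUL */
    if (parse_server_header(resp, name, sizeof name) != -1 || strlen(name) != 15)
        return 2;
    if (copy_arg(user, sizeof user, "alice") != 0 || strcmp(user, "alice") != 0)
        return 3;
    if (copy_arg(user, sizeof user, "alice-is-too-long") != -1)
        return 4;
    if (build_cookie_line(cookie, sizeof cookie, "sid=42") != 0 ||
        strcmp(cookie, "Cookie: sid=42\r\n") != 0)
        return 5;
    if (build_cookie_line(cookie, sizeof cookie, "sid=0123456789012345678901234") != -1)
        return 6;
    return 0;
}

int main(void)
{
    printf("checks: %s\n", run_checks() == 0 ? "ok" : "FAILED");
    printf("overrun of strncat(cookie, <1000 bytes>, 1024) with 1000 bytes used: %zu\n",
           strncat_misuse_overrun(1000, 1000, 1024));
    return 0;
}
```

Each bounded function returns -1 instead of truncating silently, so a caller (or a CGI wrapper, the situation Wagner mentions) can refuse the input; truncation would be the other defensible choice for the Server: value, which is only displayed.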
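Items 2, 3 and 4 are one pattern: tmpnam() yields a predictable name, fopen() then opens whatever a local user has placed at that name (a symlink to the password file, say), and in htdigest the result is copied into place by a shell command built from argv[1]. The following is an added example in C, not Apache's code and not the htdigest patch Debian later applied, of the usual replacement: mkstemp() in the target directory (O_CREAT|O_EXCL, mode 0600, so nothing pre-existing is followed), an explicit fchmod(), fsync(), and rename() instead of `cp` via system(), so no shell ever sees the path. write_file_atomically and demo_roundtrip are constructed names; the /tmp scratch directory and the password lines are constructed test data, not real hashes. POSIX only.

```c
/* Added example, not Apache code: safe replacement for the
 * tmpnam()/fopen()/system("cp ...") sequence in items 2-4. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Replace `path` with `data` so readers see either the old file or the
 * complete new one. The temporary lives next to `path` (rename() is only
 * atomic within one filesystem); its mode is set explicitly because
 * mkstemp() creates it 0600 and rename() keeps that, unlike `cp` into an
 * existing file. Returns 0, or -1 with errno set and the temporary removed. */
static int write_file_atomically(const char *path, const char *data,
                                 size_t len, mode_t mode)
{
    char tmp[4096];
    size_t off = 0;
    int fd, saved;

    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = mkstemp(tmp);              /* O_CREAT|O_EXCL: never follows an existing name */
    if (fd < 0)
        return -1;
    while (off < len) {
        ssize_t w = write(fd, data + off, len - off);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            goto fail;
        }
        off += (size_t)w;
    }
    if (fchmod(fd, mode) < 0 || fsync(fd) < 0)
        goto fail;
    if (close(fd) < 0) {
        fd = -1;
        goto fail;
    }
    fd = -1;
    if (rename(tmp, path) < 0)      /* atomic swap; no shell, no copy window */
        goto fail;
    return 0;
fail:
    saved = errno;
    if (fd >= 0)
        close(fd);
    unlink(tmp);
    errno = saved;
    return -1;
}

/* Self-check: write a constructed password file, replace it, read it back,
 * verify contents and mode, clean up. 0 on success, nonzero = failing step. */
static int demo_roundtrip(void)
{
    char dir[] = "/tmp/htpasswd-demo.XXXXXX";   /* constructed scratch location */
    const char *first  = "alice:$apr1$constructedhash1\n";
    const char *second = "alice:$apr1$constructedhash2\nbob:$apr1$constructedhash3\n";
    char path[4096], buf[128];
    struct stat st;
    FILE *f;
    size_t n;
    int rc = 1;

    if (!mkdtemp(dir))
        return 1;
    snprintf(path, sizeof path, "%s/.htpasswd", dir);
    if (write_file_atomically(path, first, strlen(first), 0640) < 0)
        goto out;
    if (write_file_atomically(path, second, strlen(second), 0640) < 0)
        goto out;
    f = fopen(path, "r");
    if (!f)
        goto out;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    if (strcmp(buf, second) != 0) { rc = 2; goto out; }
    if (stat(path, &st) < 0 || (st.st_mode & 0777) != 0640) { rc = 3; goto out; }
    rc = 0;
out:
    unlink(path);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("atomic replace round trip: %s\n", demo_roundtrip() == 0 ? "ok" : "FAILED");
    return 0;
}
```

Because the temporary is created beside the destination, this also removes the shared /tmp directory from the picture entirely, which is what makes the tmpnam() race exploitable by any local user in the first place; a caller that must preserve the existing file's mode can stat() it first and pass that mode through.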
---------------------------------------
Received: (at 165155-close) by bugs.debian.org; 25 May 2004 18:53:44 +0000
From katie@ftp-master.debian.org Tue May 25 11:53:44 2004
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1BSh3Y-0000rC-00; Tue, 25 May 2004 11:53:44 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1BSgx8-00051j-00; Tue, 25 May 2004 14:47:06 -0400
From: fabbione@fabbione.net (Fabio M. Di Nitto)
To: 165155-close@bugs.debian.org
X-Katie: $Revision: 1.49 $
Subject: Bug#165155: fixed in apache 1.3.31-1
Message-Id: <E1BSgx8-00051j-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Tue, 25 May 2004 14:47:06 -0400
Delivered-To: 165155-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
Source: apache
Source-Version: 1.3.31-1
We believe that the bug you reported is fixed in the latest version of
apache, which is due to be installed in the Debian FTP archive:
apache-common_1.3.31-1_i386.deb
to pool/main/a/apache/apache-common_1.3.31-1_i386.deb
apache-dbg_1.3.31-1_i386.deb
to pool/main/a/apache/apache-dbg_1.3.31-1_i386.deb
apache-dev_1.3.31-1_all.deb
to pool/main/a/apache/apache-dev_1.3.31-1_all.deb
apache-doc_1.3.31-1_all.deb
to pool/main/a/apache/apache-doc_1.3.31-1_all.deb
apache-perl_1.3.31-1_i386.deb
to pool/main/a/apache/apache-perl_1.3.31-1_i386.deb
apache-ssl_1.3.31-1_i386.deb
to pool/main/a/apache/apache-ssl_1.3.31-1_i386.deb
apache-utils_1.3.31-1_i386.deb
to pool/main/a/apache/apache-utils_1.3.31-1_i386.deb
apache_1.3.31-1.diff.gz
to pool/main/a/apache/apache_1.3.31-1.diff.gz
apache_1.3.31-1.dsc
to pool/main/a/apache/apache_1.3.31-1.dsc
apache_1.3.31-1_i386.deb
to pool/main/a/apache/apache_1.3.31-1_i386.deb
apache_1.3.31.orig.tar.gz
to pool/main/a/apache/apache_1.3.31.orig.tar.gz
libapache-mod-perl_1.29.0.2-8_i386.deb
to pool/main/a/apache/libapache-mod-perl_1.29.0.2-8_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 165155@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabio M. Di Nitto <fabbione@fabbione.net> (supplier of updated apache package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 08 May 2004 06:50:52 +0200
Source: apache
Binary: apache-dev apache-common apache-doc apache-utils apache apache-dbg apache-perl libapache-mod-perl apache-ssl
Architecture: source i386 all
Version: 1.3.31-1
Distribution: unstable
Urgency: low
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Changed-By: Fabio M. Di Nitto <fabbione@fabbione.net>
Description:
apache - Versatile, high-performance HTTP server
apache-common - Support files for all Apache webservers
apache-dbg - Apache webservers (debugging versions)
apache-dev - Apache webserver development kit
apache-doc - Apache webserver docs
apache-perl - Versatile, high-performance HTTP server with Perl support
apache-ssl - Versatile, high-performance HTTP server with SSL support
apache-utils - Utility programs for webservers
libapache-mod-perl - Integration of perl with the Apache web server
Closes: 165155 227491 235425 247926 248730 249632
Changes:
apache (1.3.31-1) unstable; urgency=low
.
* (Fabio M. Di Nitto)
- New apache upstream release:
+ Removed all patches stolen from CVS HEAD
+ Removed 004_custom_response_segfaults patch (accepted by upstream)
+ Rediffed 500_configure_hashbang, 507_usr_bin_perl_owns_you
+ Updated licence from Apache 1.1 to Apache 2.0
+ Upstream fixes also two bugs tracked in Debian BTS
(Closes: #235425, #165155)
- Enabled mod_log_forensic
+ Added check_forensic to apache-utils and manpage written by us
+ Added 035mod_log_firensic.info
+ Modified 511_log_files_permission
+ Added 513_GNU_xargs to fix check_forensic use of xargs
+ Updated default configs to support forensic in new installations
(Note this might break tools that parse log files blindly)
- Enabled EXPERIMENTAL modules: mod_backtrace and mod_whatkilledus
+ Updated default configs with proper notes
+ Added extra notes in README.Debian
- Build against new perl (Closes: #248730, #249632) and possibly for
the last time.
- Relaxed dependencies on perl. Everything should be working on perl
side now.
- Applied patch to htdigest from Steve Kemp (Closes: #247926)
- Lintian cleanup:
+ apache-doc now recommends w3m | www-browser
- Added note in README.Debian for the init.d scripts chicken/egg problem
that affects restart functionality. (Closes: #227491)
Files:
9006711d53a06abce29b2001e5d4d78f 1073 web optional apache_1.3.31-1.dsc
ca475fbb40087eb157ec51334f260d1b 3104170 web optional apache_1.3.31.orig.tar.gz
890b44f5622101228f046ca627ee436c 393401 web optional apache_1.3.31-1.diff.gz
892bae2bfa0bc743ea5a1ed8ce897624 1184860 doc optional apache-doc_1.3.31-1_all.deb
875683eecfd3473d6ac9d6d129246b67 327984 devel extra apache-dev_1.3.31-1_all.deb
9321a95534b6217d539d47b80e352b8c 379598 web optional apache_1.3.31-1_i386.deb
19765b2c2fc0f8cd65efb139a5dc1a94 491364 web optional apache-ssl_1.3.31-1_i386.deb
0af77fa4815d546f64c05aec7f52ca78 498304 web optional apache-perl_1.3.31-1_i386.deb
a593af6269712ffbaf3ee2415313c565 9101862 devel extra apache-dbg_1.3.31-1_i386.deb
2626db97446629213a28e9d4dda141cd 836666 web optional apache-common_1.3.31-1_i386.deb
33254ffc89afdb21ca90bba7133e0c8d 264178 web optional apache-utils_1.3.31-1_i386.deb
810846378ada5208adc56eea6091ecbf 483348 web optional libapache-mod-perl_1.29.0.2-8_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAs40MhCzbekR3nhgRAr/hAJ9h0qz/eXyJ7BYsjUxmFeFRYCnuWwCdGa/l
umn9FEx8mz9Ncm6432XpC68=
=8XAn
-----END PGP SIGNATURE-----